Orphan root certificate creates confusion

The Mozilla Foundation is planning to remove a root certificate issued by RSA (RSA Security 1024 V3) from the certificate stores for its products. Browsers use root certificates for purposes such as verifying whether server SSL certificates are genuine.

The announcement was triggered by a piece of research by Kathleen Wilson, who is responsible for deciding which root certificates should be included in the certificate store supplied with the Firefox web browser. Her audit found that it was not possible to determine the current owner of said certificate. Root certificates can be valuable and are sometimes sold on. Identifying the current owner is also important for future audits.

In response to an enquiry from Wilson, both RSA and VeriSign stated that the certificate did not belong to them. This led some members of the mozilla.dev.security.policy Google group to express the concern that a fake certificate had somehow managed to be included in the Mozilla Foundation's (and Apple's) certificate collection. This, however, turned out to be unfounded, as RSA belatedly admitted that it had originally issued the certificate.

In the continuing absence of a response on the question of current ownership, the Mozilla Foundation announced that it would delete the certificate, in part because it remained unclear who was in possession of the private key associated with the certificate. Shortly thereafter, RSA got back to the Mozilla Foundation with the news that it was indeed the current owner and was in possession of the private key. It also stated that the certificate, which is designated as being valid until 2026, was no longer required and that the Mozilla Foundation could happily delete it. RSA has since told The H's associates at heise Security that the certificate, which was issued in 2001, has never been used and that there are no plans to use it in future.